Protecting industrial control systems from cyberattacks

Your organisation's cyber security defences may be strong, but there will always be a need for entry points. One sure defence is to ensure that access to entry points is well reviewed, logged and audited. But you should also plan for the worst, and be as proactive in internal defences as you are for external ones.

In order to better protect industrial control systems (ICS) from cyberattacks, companies should take heed of the wise words of successful military tacticians, and of the lessons learned from some of the greatest failures in military defence.

In 2016, NATO officially recognised cyberspace as a warfare domain, an important change that has led many cyber security companies to liken their strategies for preparation and defence to Sun Tzu's philosophies shared in "The Art of War". While it is important to take heed of the wise words of a successful military tactician and philosopher, it is paramount that we also look to history for some of the greatest failures in defence, so that you may learn from these too.

Historical failures

This article looks at a historical defence failure that mirrors that of many security breaches in the cyber realm, where a persistent threat will take full advantage of an opportunistic weakness in the defender's wall. This historical event took place in Istanbul in the year 1453, fought by the defending Roman Byzantine rulers and the advancing Ottoman Empire. The Roman rulers erected a series of defence structures that featured large, high walls and secured entrances, spanning the city and protecting it from conquest.


Legend has it that one of the main gates to the city had been left open by an outbound raiding force. This open gate was quickly discovered by a small group of Ottoman forces, who realised that they could get inside and raise their banner. The ensuing Ottoman forces eventually overwhelmed the city's internal defences and, as history tells, for the Byzantine and the Roman Empire in the East, the battle was lost.

With the history review out of the way, it is important to pick out the key points presented in this story and take away these nuggets:

Your organisation's defences may be strong, but will always need entry points.

Ensure that access to entry points is well reviewed, logged and audited.

Plan for the worst; be as proactive in your internal defences as in your external ones.

"These lessons learnt are great," you may be thinking. "But how do they apply to my Industrial Control System?"

Let's start with the first one. Your company may not have a wall, but you do have a moat, in the form of an air gap. This keeps your operational network seemingly safe from the outside world, with the 'jump' being too great for a conventional attack. No network, however, is truly isolated from the outside world, just as no city is ever truly isolated by a moat; there needs to be a way in to allow for updates and to access equipment remotely, and this will always leave the possibility for mistakes to be made.

Regular maintenance tasks, such as removing outdated pieces of equipment, could also be likened to our story. Think of it like this: you have your very own Wall of Constantinople in the form of your firewall, and you have gates through that wall in the form of ports. When an engineer removes a piece of equipment but doesn't close the port it used, you now have an open gate, and one that has turned into an exploitable attack vector. Technology such as Cyber-X can detect these open ports, quickly allowing engineers to close these gates to your operational network.

Most companies understand where their entry points are, but you should also be aware of when, how and why people access them. An early warning sign of a breach on your network is sporadic and unauthorised access to systems.

Detection of these breaches could help to close gaps or even prevent major incidents, but if you notice that there is an entry point that is infrequently used or is now surplus to requirements, then you should consider its removal. Products such as Cyber-X learn about your usual network traffic, making it easy to spot traffic that is unusual for your network, such as traffic that occurs during off-peak hours, unusually large packets or unexpected protocols.
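As an added illustration of the learn-the-baseline-then-flag-deviations approach described above (example code written for this article, not Cyber-X's or any vendor's detection logic), the Python below learns a profile of normal traffic from a constructed window of flow records and then reports the three kinds of deviation the text names: off-peak hours, unusually large packets and unexpected protocols. All timestamps, hosts, protocols and sizes are constructed sample data, and the four-times-baseline size threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (timestamp, src, dst, protocol, bytes).
# BASELINE_FLOWS stands in for a learning window of known-good traffic;
# OBSERVED_FLOWS is a later window that contains three unusual flows.
BASELINE_FLOWS = [
    ("2024-03-04T08:15:00", "10.0.1.10", "10.0.2.20", "modbus", 260),
    ("2024-03-04T09:40:00", "10.0.1.10", "10.0.2.20", "modbus", 300),
    ("2024-03-04T11:05:00", "10.0.1.11", "10.0.2.21", "dnp3", 412),
    ("2024-03-04T14:30:00", "10.0.1.11", "10.0.2.21", "dnp3", 380),
    ("2024-03-04T16:55:00", "10.0.1.10", "10.0.2.20", "modbus", 290),
]
OBSERVED_FLOWS = [
    ("2024-03-05T10:00:00", "10.0.1.10", "10.0.2.20", "modbus", 280),  # normal
    ("2024-03-05T02:30:00", "10.0.1.10", "10.0.2.20", "modbus", 270),  # off-peak
    ("2024-03-05T13:00:00", "10.0.1.11", "10.0.2.21", "dnp3", 9000),   # oversized
    ("2024-03-05T15:00:00", "10.0.1.12", "10.0.2.20", "ssh", 300),     # new protocol
]


def learn_baseline(flows):
    """Profile 'usual' traffic: the working-hours window (earliest to latest
    hour seen), the protocols seen per destination, and the largest packet."""
    hours = [datetime.fromisoformat(ts).hour for ts, *_ in flows]
    protos = defaultdict(set)
    for _, _, dst, proto, _ in flows:
        protos[dst].add(proto)
    return {
        "hours": range(min(hours), max(hours) + 1),
        "protos": protos,
        "max_bytes": max(size for *_, size in flows),
    }


def find_anomalies(baseline, flows, size_factor=4):
    """Return (flow, reason) pairs for traffic that deviates from the baseline.
    size_factor is an assumed tuning value; a destination never seen in the
    baseline trips the protocol check too, since nothing is expected there."""
    findings = []
    for flow in flows:
        ts, _, dst, proto, size = flow
        if datetime.fromisoformat(ts).hour not in baseline["hours"]:
            findings.append((flow, "off-peak hour"))
        if size > size_factor * baseline["max_bytes"]:
            findings.append((flow, "unusually large packet"))
        if proto not in baseline["protos"].get(dst, set()):
            findings.append((flow, "unexpected protocol"))
    return findings


if __name__ == "__main__":
    for flow, reason in find_anomalies(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"{reason}: {flow}")
```

In practice the baseline would be learned per host pair and refreshed as the plant changes; a flow flagged here is a prompt for an engineer to review the access, not proof of a breach.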

Planning for the worst is not the same as admitting defeat; rather, it means being prepared to recover from the worst possible outcome, which usually means that your disaster recovery is mature and developed enough to restore services as quickly as possible. Frequently monitoring the state of your network devices allows you to develop customised, efficient and profoundly effective plans that evolve along with your organisation's scale.